Facebook Bug Bounty 2014, X-XSS and Filter Evasion worth 7500$

6:04 AM

This is the second part of the series on how I found an XSS in Facebook. I wrote about the first bug here. It was a Linkshim evasion and URL redirection bug. I used “../http://site.com” in the continue parameter for redirection, bypassing the Linkshim, and I explained how there.

After Facebook triaged my bug and promised me a 1000$ bounty, and after the issue was fixed, I realized something: the bug could have been a cross-site scripting issue. How? Well, I don't know how the hell I missed this in the first place, but when you give Linkshim “../http://site.com” to sanitize, the parameter renders the following code (first bug):

For those of you who can’t do base64 decoding in your head, that is equivalent to “<script>alert(“XSS”);</script>”, and I put the hash (#) tag behind it to make sure the other parameters following it are ignored as not being part of the Base64.

Or simply by giving the parameter “../javascript:alert(0);//”, which will create the code

<a href="javascript:alert(0);//">Continue</a>

The above href attribute is properly sanitized and HTML-entity encoded. But since neither htmlentities() nor htmlspecialchars() filters the above payload (they only stop the value from breaking out of the attribute; they do not touch the URL scheme), it was possible to execute a reflected XSS when a user clicked the Continue button. The final payload would look something like

So simple and effective. I reported this after the URL redirection had been fixed (making it impossible to verify the XSS), but FB security was kind enough to understand the impact this could have had, reconsider the first bounty as two types of injection in one parameter (XSS, Open Redirection / Linkshim Evasion), and raise the bounty to 7500$.
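To make the point above concrete, here is an added example (mine, not Facebook's code or the author's): an html.escape()-only renderer that behaves like htmlspecialchars() and lets a “javascript:” target through untouched, next to a hardened version that validates the target after the same “../” stripping the post describes. The “../” normalisation, the allowed-host list and the sample inputs are assumptions constructed for the demo.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed for the demo: the hosts a "continue" target may point at.
ALLOWED_HOSTS = {"www.example.com"}
# The payload quoted in the post.
JS_PAYLOAD = "../javascript:alert(0);//"


def normalise(target: str) -> str:
    """Model the behaviour the post describes: leading '../' segments are
    dropped, so '../javascript:...' reaches the template as 'javascript:...'.
    Control characters are stripped too, because browsers ignore them inside
    a scheme (e.g. 'java<TAB>script:'). This modelling is an assumption."""
    target = re.sub(r"[\x00-\x20\x7f]", "", target)
    while target.startswith("../"):
        target = target[3:]
    return target


def render_continue_link_vulnerable(target: str) -> str:
    """html.escape() does what htmlspecialchars()/htmlentities() do: the value
    cannot break out of the attribute, but a 'javascript:' URL survives intact,
    so the link itself becomes the XSS sink."""
    return '<a href="%s">Continue</a>' % html.escape(normalise(target), quote=True)


def is_safe_continue_target(target: str) -> bool:
    """Allow only a same-site absolute path or an http(s) URL on an allowed host.
    Everything else (javascript:, data:, protocol-relative '//host') is refused."""
    target = normalise(target)
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: must start with a single '/', never '//evil.example'.
        return target.startswith("/") and not target.startswith("//")
    return parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS


def render_continue_link_hardened(target: str, fallback: str = "/") -> str:
    """Escape for the attribute AND validate the scheme/host; fall back to a
    known-good path when the supplied target is not acceptable."""
    safe = target if is_safe_continue_target(target) else fallback
    return '<a href="%s">Continue</a>' % html.escape(normalise(safe), quote=True)
```

Scheme validation (an allowlist of http/https plus an allowed host) is what closes both bugs at once: the open redirect to an arbitrary host and the javascript:/data: XSS, which attribute escaping alone never addresses.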

I would like to thank Facebook for the generous amount and for launching the white hat program.


About Paulos

I am currently specializing in application security and client-side offensive exploit research. I really enjoy breaking things. I occasionally do bug bounties, with notable references such as Coinbase, Facebook, Twitter & more.